Here is my patch (attached) which Marc referred to, fixing pf syncing
with openvpn. For a description of the issue and what this fixes see the
earlier thread in the mailing list at. Also I'm unaware/unaffected by
any issues with the opt interfaces in m0n0 w/ Openvpn. But if someone
can give me some details on the issue and possibly how to create the
issue, I can look into fixing it.
Joe
-------------------------------------
Below is an e-mail to the list with details about the issue and what the
patch fixes.
Marc,
I actually had what sounds like the same problem. I found that I could
issue the following command from the exec.php once the tunnel is up to
fix the issue with the firewall rules.
/sbin/ipf -y
Once I figured that out I dove into the code and found that m0n0 runs the
above command directly after it sets up the openvpn tunnels. I can only
assume it does this to prevent the issue we are seeing. The problem is
that the scripts don't wait for the tunnel to completely come up before
issuing the command. So if your tunnel doesn't build quickly enough the
ipf -y executes too early. Now the solution! I'm attaching a patch I've
been testing with and it seems to have solved the problem. It uses
openvpn's --route-up CMD line ARG to run a script after the tunnel is
up. The script just executes /sbin/ipf -y to make sure everything is
kosher after the tunnel is built. The side benefit of this is that if the
tunnel were to drop (problem with the hub) and then later re-establish,
it should re-sync the FW again, preventing issues down the road.
One thing I'm not sure of is whether or not this will fix your issue
with the routes. What I would recommend for that is to use the openvpn hub
server to push out routing info to the peers, which greatly increases the
ease for the network administrator to update routing info (only one place
to change). Although this wouldn't be possible if you're using m0n0 as the
hub because this feature is not part of the interface currently.
If you want to use the patch make sure you chmod +x
[fs-root]/usr/local/bin/ovpn-routeup.sh before building your image.
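As an added illustration, not Joe's attached patch (which is not reproduced on the page), here is a route-up hook in the shape the message describes: it runs /sbin/ipf -y once OpenVPN reports the tunnel up, and adds the logging and sanity checks a practitioner would want so a failed resync shows up in the logs. $script_type, $dev and $ifconfig_local are OpenVPN's own hook environment; the IPF override variable and the log tag are assumptions made so the script can be exercised without a real ipf binary.

```shell
#!/bin/sh
# Added example of an OpenVPN --route-up hook that resyncs IP Filter's
# interface state once the tunnel is up. Not the patch from the message.
# IPF is an assumed override so the hook can be tested without /sbin/ipf.
IPF="${IPF:-/sbin/ipf}"

# Log to syslog when logger works, otherwise to stderr; never fail the hook.
log_msg() {
    logger -t ovpn-routeup "$1" 2>/dev/null || echo "ovpn-routeup: $1" >&2
}

# Resync the filter's view of interfaces; returns ipf's exit status.
resync_filter() {
    "$IPF" -y
}

# Hook entry point. OpenVPN passes script_type, dev and ifconfig_local in
# the environment. Act only for route-up, and refuse to run if no tunnel
# device is present, which would mean the tunnel is not actually up.
route_up_hook() {
    if [ "${script_type:-route-up}" != "route-up" ]; then
        log_msg "ignoring script_type=$script_type"
        return 0
    fi
    if [ -z "$dev" ]; then
        log_msg "no tunnel device in environment; not resyncing"
        return 1
    fi
    log_msg "tunnel $dev up (local ${ifconfig_local:-?}); running ipf -y"
    resync_filter
    rc=$?
    if [ "$rc" -eq 0 ]; then
        log_msg "ipf -y succeeded for $dev"
    else
        log_msg "ipf -y failed (exit $rc) for $dev"
    fi
    return "$rc"
}

# Run the hook when OpenVPN executes this file directly; sourcing it for
# tests leaves the functions defined without running them.
case "$0" in
    */ovpn-routeup.sh|ovpn-routeup.sh) route_up_hook ;;
esac
```

The matching config line is `route-up /usr/local/bin/ovpn-routeup.sh`, and as the message says the file must be executable in the image.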